CVE-2013-4315
Published: 16 September 2013
Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.
Priority
Status
Package | Release | Status |
---|---|---|
python-django Launchpad, Ubuntu, Debian |
lucid |
Released
(1.1.1-2ubuntu1.9)
|
precise |
Released
(1.3.1-4ubuntu1.8)
|
|
quantal |
Released
(1.4.1-2ubuntu0.4)
|
|
raring |
Released
(1.4.5-1ubuntu0.1)
|
|
upstream |
Released
(1.5.3-1)
|
|
Patches: upstream: https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896 upstream: https://github.com/django/django/commit/3203f684e8e51cbfa1b39d7b6a56e340981ad4d5 upstream: https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca |